House Committee on Government Reform
Subcommittee on Government Management, Information and
Technology

Hearing on H.R. 4246, the Cyber Security Information
Act

June 22, 2000
Washington, DC

Mr. Chairman and Members of the Subcommittee:

Thank you for providing me with the opportunity to appear
before the Subcommittee to address H.R. 4246, the Cyber Security
Information Act. The Electronic Privacy Information Center (EPIC)
makes frequent use of the Freedom of Information Act (FOIA) to
obtain information from the government about a wide range of
policy issues, including consumer privacy, electronic
surveillance, encryption controls and Internet content regulation.
We firmly believe that public disclosure of this information
improves government oversight and accountability. It also helps
ensure that the public is fully informed about the activities of
government. I have personally been involved with FOIA issues for
almost twenty years and have handled information requests on
behalf of a wide range of requesters. In 1982, I assisted in the
preparation of a publication titled Former Secrets, which
documented 500 instances in which information released under the
FOIA served the public interest. I am convinced that an updated
version of that book today would yield thousands of examples of
the benefits we all derive from the public access law that has
served as a model for other nations around the world.

EPIC and other members of the FOIA requester community have,
for many years, voiced concerns about various proposals to create
broad, wholesale exemptions from the Act's public disclosure
provisions. Most recently, EPIC has joined with other
right-to-know advocates, including scientific, journalistic,
library and civil liberties organizations, in questioning the need
for a new FOIA exemption, such as the one contained in H.R. 4246,
for information relating to the protection of critical
infrastructures. We collectively believe this exemption approach
is fundamentally inconsistent with the basic premise of the FOIA,
which, as the Supreme Court has recognized, is "to ensure an
informed citizenry, vital to the functioning of a democratic
society, needed to check against corruption and to hold the
governors accountable to the governed."[1] To
accomplish that end, "[d]isclosure, not secrecy, is the
dominant objective of the Act."[2]

It is clear that, as we enter a new century and move further
into the electronic age, the federal government increasingly will
focus on the protection of critical infrastructures. It is equally
apparent that government policy in this emerging field will become
a matter of increased public interest and debate. EPIC has
monitored developments in this area since the creation of the
President's Commission on Critical Infrastructure Protection
(PCCIP) in July 1997. After the Commission issued its report, EPIC
published an analysis of the PCCIP's proposals (Critical
Infrastructure Protection and the Endangerment of Civil
Liberties[3]) which identified a
number of Commission recommendations that could threaten privacy,
extend the reach of federal law enforcement agencies, limit
mechanisms for government accountability and increase the level of
information classification and secrecy. While reasonable observers
can disagree over the advantages or disadvantages of the PCCIP's
proposals, or the more recent initiatives contained in the
Administration's National Plan for Information Systems Protection,
I believe we can all agree that critical infrastructure protection
raises significant public policy issues that deserve full and
informed public discussion.

Public disclosure of relevant information has already helped to
shape the scope of Administration policy on critical
infrastructure protection. An initial draft of the National Plan
called for the creation of the Federal Intrusion Detection Network
(FIDNET) which, as originally proposed, would have subjected
private sector computer networks to a potentially invasive
monitoring system administered by the Federal Bureau of
Investigation. After media accounts of the proposal were
published, negative public reaction resulted in a modified FIDNET
proposal, one that will be limited to government computer networks
and operated by the General Services Administration. Even as
modified, the FIDNET initiative raises significant legal issues;
last year, EPIC released a government memorandum, obtained under
the Freedom of Information Act, which indicated that the
Department of Justice was aware that the proposal could violate
federal wiretap laws. Other records we obtained under FOIA showed
that the government plans to use credit card records and telephone
toll records as part of the FIDNET system. It is this experience
that leads us to question the wisdom of removing information
concerning critical infrastructure protection from public
view.

Increasingly, government activity in this area will be
conducted in cooperation with the private sector and, accordingly,
will involve extensive sharing of information between the private
sector and government. H.R. 4246 contemplates an automatic,
wholesale exemption from the FOIA for "any cyber security
statements or other such information provided by a party in
response to a special cyber security data gathering request."
Given the breadth of the bill's definitions of "critical
infrastructure" and "cyber security," I believe the proposed
exemption would hide from the public essential information about
critically important -- and potentially controversial --
government activities undertaken in partnership with the private
sector. It could also adversely impact the public's right to know
about unsafe practices engaged in by the private operators of
nuclear power plants, water systems, chemical plants, oil
refineries, and other facilities that can pose risks to public
health and safety. In short, critical infrastructure protection is
an issue of concern not just for the government and industry, but
also for the public -- particularly the local communities in which
these facilities are located.

If the history of the FOIA is any guide, the proposed exemption
is likely to result in years of litigation as the courts are
called upon to interpret its scope. The potential for protracted
litigation brings me to what I believe is the most critical point
for the Subcommittee to consider, which is the need for the
proposed critical infrastructure exemption. FOIA caselaw developed
over the past 25 years makes it clear that existing exemptions
contained in the Act provide adequate protection against harmful
disclosures of the type of information we are discussing. For
example, information concerning the software vulnerabilities of
classified computer systems used by the government and by defense
contractors is already exempt under FOIA Exemption 1. Most
significantly, Exemption 4, which protects against disclosures of
trade secrets and confidential information, also provides
extensive protection from harmful disclosures. Because I believe
that Exemption 4 extends to virtually all of the material that
properly could be withheld from disclosure, I would like to
discuss briefly the caselaw that has developed in that area.

For information to come within the scope of Exemption 4, it
must be shown that the information is (A) a trade secret, or (B)
information which is (1) commercial or financial, (2) obtained
from a person, and (3) privileged or confidential.[4]
The latter category of information (commercial information that is
privileged or confidential) is directly relevant to the issue
before the Subcommittee. Commercial or financial information is
deemed to be confidential "if disclosure of the information is
likely to have either of the following effects: (1) to impair the
government's ability to obtain the necessary information in the
future; or (2) to cause substantial harm to the competitive
position of the person from whom the information was
obtained."[5] My understanding is that H.R. 4246
seeks to ensure that the government is able to obtain critical
infrastructure information from the private sector on a voluntary
basis, a concern which comes within the purview of Exemption 4's
"impairment" prong. The courts have liberally construed
"impairment," finding that where information is voluntarily
submitted to a government agency, it is exempt from disclosure if
the submitter can show that it does not customarily release the
information to the public.[6] In essence, the
courts defer to the wishes of the private sector submitter and
protect the confidentiality of information that the submitter does
not itself make public.

In addition to the protections for private sector submitters
contained in FOIA Exemption 4 and the relevant caselaw, agency
regulations seek to ensure that protected data is not improperly
disclosed. Under the provisions of Executive Order 12600
(Predisclosure Notification Procedures for Confidential
Commercial Information) issued by President Reagan in 1987,
each federal agency is required to establish procedures to notify
submitters of records "that arguably contain material exempt from
release under Exemption 4" when the material is requested under
the FOIA and the agency determines that disclosure might be
required. The submitter is then provided an opportunity to submit
objections to the proposed release. The protections available to
private sector submitters do not end there; if the agency
determines to release data over the objections of the submitter,
the courts will entertain a "reverse FOIA" suit to consider the
confidentiality rights of the submitter.[7]

In light of the substantial protections against harmful
disclosure provided by FOIA Exemption 4 and the caselaw
interpreting it, I believe that any private sector reticence to
share important data with the government grows out of a
misperception of existing law. Indeed, the myth of inadequate
protection for such information could become a self-fulfilling
prophecy if these misperceptions are not corrected. Rather than
amending current law in an effort to address misperceived
deficiencies, federal efforts should be directed toward educating
and reassuring the private sector as to the broad confidentiality
protections provided by the FOIA. Failure to do so will merely
inaugurate a new generation of protracted litigation in an area
that has already consumed considerable judicial resources, while
creating new and unnecessary barriers to public access.

In summary, the Freedom of Information Act has worked extremely
well over the last 25 years, ensuring public access to important
information while protecting against specific harms that could
result from certain disclosures. After monitoring the development
of critical infrastructure protection policy for the last several
years, I have heard no scenario put forth that would result in the
detrimental disclosure of information under the current provisions
of the FOIA. Overly broad new exemptions could, however, adversely
impact the public's right to oversee important and far-reaching
governmental functions. I urge the Subcommittee and the Congress
to preserve the public's fundamental right to know.

David L. Sobel is General Counsel of the Electronic Privacy
Information Center in Washington, DC, a non-profit research
organization that examines the privacy implications of computer
networks, the Internet and other communications media. He has
litigated numerous cases under the Freedom of Information Act
(FOIA) seeking the disclosure of government documents on privacy
policy, including electronic surveillance and encryption controls.
Among his recent cases are those involving the Digital Signature
Standard, the Clipper Chip and the FBI's digital surveillance
proposal. Mr. Sobel also served as co-counsel in ACLU v.
Reno, the successful constitutional challenge to the
Communications Decency Act decided by the U.S. Supreme Court in
1997.

Mr. Sobel has a longstanding interest in civil liberties and
information access issues and has written and lectured on these
issues frequently since 1981. He was formerly counsel to the
National Security Archive, and his FOIA clients have included
Coretta Scott King, former Ambassador Kenneth Rush, the Nation
magazine and ABC News.

Mr. Sobel is a graduate of the University of Michigan and the
University of Florida College of Law. He is a member of the Bars
of Florida, the District of Columbia, the U.S. Supreme Court and
several federal Courts of Appeals.